Yesterday’s Executive Order on “Enhancing Public Safety in the Interior of the United States” triggered alarm among privacy advocates in the U.S. and EU about the continued viability of the economically important Privacy Shield agreement.  Extending certain rights conferred by the Privacy Act of 1974 to EU citizens was “a long-standing demand of the EU” and a key element of the deal that secured Privacy Shield.  In addition, the U.S.-EU “umbrella agreement” for law-enforcement data-sharing requires the U.S. to grant Europeans these rights.

Section 14 of yesterday’s Order, read in isolation, appears to instruct federal agencies to deny Privacy Act protections to Europeans:

Sec. 14.  Privacy Act.  Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.  

Fortunately, our preliminary analysis is that the Order does not actually deny Privacy Act protections to Europeans.  An Executive Order, of course, cannot supersede a statute—which Section 14 implicitly acknowledges with its caveat “to the extent consistent with applicable law.”

The “applicable law” here is the Judicial Redress Act of 2015, codified at 5 U.S.C. § 552a note.  The Judicial Redress Act extends the right to sue conferred by the Privacy Act to citizens of “covered countries” designated by the Attorney General.  And on January 17, 2017, in a little-noticed move, the Attorney General designated 26 countries and the European Union as